Hi,
This is V2 of the patches. I changed patch 3 a bit: in the user-visible message, I changed the string "secureboot" to "Secure Boot".
The following patch series contains changes to kdumpctl to support kdump on Secure Boot enabled machines. The kernel patches are not available in the latest Fedora kernel.
There is one kexec-tools patch that needs to be backported. That will follow in a separate mail.
Thanks Vivek
Vivek Goyal (3):
  kdumpctl: Do not redirect error messages to /dev/null
  kdumpctl: Use kexec file based mode to unload kdump kernel
  kdumpctl: Use kexec file based syscall for secureboot enabled machines

 kdumpctl | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
Does anybody know why we are redirecting stderr to /dev/null when using the kexec load/unload commands? This sounds wrong to me. In case of an error I have no idea what went wrong.
systemctl already puts all the information in the journal. So if we are worried that the user will be bombarded with error messages, that should not be a concern.
So do not redirect stderr to /dev/null.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
---
 kdumpctl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kdumpctl b/kdumpctl index 70d30fa..bb98225 100755 --- a/kdumpctl +++ b/kdumpctl @@ -435,7 +435,7 @@ load_kdump()
$KEXEC $KEXEC_ARGS $standard_kexec_args \ --command-line="$KDUMP_COMMANDLINE" \ - --initrd=$TARGET_INITRD $kdump_kernel 2>/dev/null + --initrd=$TARGET_INITRD $kdump_kernel if [ $? == 0 ]; then echo "kexec: loaded kdump kernel" return 0 @@ -826,7 +826,7 @@ stop_fadump()
stop_kdump() { - $KEXEC -p -u 2>/dev/null + $KEXEC -p -u if [ $? != 0 ]; then echo "kexec: failed to unload kdump kernel" return 1
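Review bot: the unchanged `if [ $? == 0 ]; then` in the load_kdump hunk (and `[ $? != 0 ]` in the stop_kdump hunk) uses the bash-only `==`/`!=` string comparison inside `[ ]`; since both lines are being touched anyway, `[ $? -eq 0 ]` and `[ $? -ne 0 ]` would be the portable form. Dropping `2>/dev/null` in both places is consistent with the commit message: when kdumpctl runs under the unit, kexec's own diagnostic now lands in the journal right before the script's "kexec: failed to unload kdump kernel" line, which is what you want.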
Currently the old kexec syscall denies unloading a kernel if Secure Boot is enabled. I think this is not the right behavior and should be changed. But for now, use the new syscall if Secure Boot is enabled, and that allows unloading the kernel.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
---
 kdumpctl | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/kdumpctl b/kdumpctl index bb98225..9403d61 100755 --- a/kdumpctl +++ b/kdumpctl @@ -826,7 +826,12 @@ stop_fadump()
stop_kdump() { - $KEXEC -p -u + if is_secure_boot_enforced; then + $KEXEC -s -p -u + else + $KEXEC -p -u + fi + if [ $? != 0 ]; then echo "kexec: failed to unload kdump kernel" return 1
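Review bot: the `if [ $? != 0 ]` that follows the new `fi` relies on `$?` carrying the status of the kexec call out of whichever if/else branch ran; bash does guarantee that (an if statement's status is that of the last command executed in the taken branch), but the blank `+` line between `fi` and the test invites someone to insert a command there later and silently break the error check. Suggest either capturing the status in each branch (`$KEXEC -s -p -u; ret=$?`) or computing the arguments once and calling kexec once, e.g. `unload_args="-p -u"; is_secure_boot_enforced && unload_args="-s $unload_args"; $KEXEC $unload_args`. The commit message should also say that `-s` needs a kexec-tools build with kexec_file_load support, the backport mentioned in the cover letter.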
Now the kexec file based syscall can be used on Secure Boot enabled machines. Automatically switch to using the new syscall if Secure Boot is enabled on the machine.
Also remove the old message where the kdump service failed if Secure Boot was enabled. That's not the case anymore.
v2: Renamed "secureboot" to "Secure Boot" in user visible message.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
---
 kdumpctl | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/kdumpctl b/kdumpctl index 9403d61..ee3214a 100755 --- a/kdumpctl +++ b/kdumpctl @@ -433,6 +433,14 @@ load_kdump()
KDUMP_COMMANDLINE=`prepare_cmdline`
+ # For secureboot enabled machines, use new kexec file based syscall. + # Old syscall will always fail as it does not have capability to + # to kernel signature verification. + if is_secure_boot_enforced; then + echo "Secure Boot is enabled. Using kexec file based syscall." + KEXEC_ARGS="$KEXEC_ARGS -s" + fi + $KEXEC $KEXEC_ARGS $standard_kexec_args \ --command-line="$KDUMP_COMMANDLINE" \ --initrd=$TARGET_INITRD $kdump_kernel @@ -702,11 +710,6 @@ is_secure_boot_enforced()
check_kdump_feasibility() { - if is_secure_boot_enforced; then - echo "Secure Boot is Enabled. Kdump service can't be started. Disable Secure Boot and retry" - return 1; - fi - if [ ! -e /sys/kernel/kexec_crash_loaded ]; then echo "Kdump is not supported on this kernel" return 1
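Review bot: the comment added in the load_kdump hunk reads "it does not have capability to to kernel signature verification", a doubled "to" with the verb missing; suggest "it does not have the capability to do kernel signature verification". In the check_kdump_feasibility hunk, removing the Secure Boot refusal means that on a kernel without kexec_file_load support (the cover letter says the kernel patches are not yet in the Fedora kernel) the failure now surfaces only as a kexec error out of load_kdump instead of the explicit message that was deleted; worth stating the kernel requirement in the commit message, or keeping a feasibility check that the file based syscall is available when Secure Boot is enforced.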
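Added example, not part of this series and not kdumpctl's own is_secure_boot_enforced: how the Secure Boot decision that all three patches branch on can be made from userspace, by reading the UEFI SecureBoot and SetupMode variables through efivarfs and choosing the `-s` argument accordingly. It assumes the efivarfs file layout (4 attribute bytes followed by the variable data) and the EFI global variable GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c; the function names and the fake efivars directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not kdumpctl code): detect Secure Boot enforcement from
# efivarfs and pick the kexec argument the patches above switch on.

# Assumption: the EFI global variable GUID under which firmware publishes
# SecureBoot and SetupMode.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_byte DIR NAME: print the first data byte of variable NAME as a
# decimal number. Assumed efivarfs layout: 4 bytes of attributes, then
# the data. Returns 1 and prints nothing if the variable is absent or
# not readable.
efivar_byte() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    dd if="$f" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n'
}

# secure_boot_enforced [DIR]: succeed only when SecureBoot == 1 and
# SetupMode == 0. Firmware in setup mode does not enforce signatures, so
# SecureBoot alone is not enough. A missing SetupMode is treated as 0
# (enforced), which is the conservative choice for kexec: using -s on a
# machine that did not need it still works, the reverse does not.
secure_boot_enforced() {
    dir="${1:-/sys/firmware/efi/efivars}"
    sb=$(efivar_byte "$dir" SecureBoot) || return 1
    sm=$(efivar_byte "$dir" SetupMode) || sm=0
    [ "$sb" = 1 ] && [ "$sm" = 0 ]
}

# kexec_mode_args [DIR]: print "-s" (use kexec_file_load) when Secure
# Boot is enforced, nothing otherwise; mirrors KEXEC_ARGS="$KEXEC_ARGS -s".
kexec_mode_args() {
    if secure_boot_enforced "$1"; then
        printf '%s' '-s'
    fi
}

# make_fake_efivars DIR SB SM: constructed test fixture that writes both
# variables with attributes 0x00000006 (BS|RT) and one data byte each.
make_fake_efivars() {
    for v in SecureBoot:"$2" SetupMode:"$3"; do
        name=${v%%:*}
        val=${v#*:}
        {
            printf '\006\000\000\000'
            printf "\\$(printf '%03o' "$val")"
        } > "$1/$name-$EFI_GLOBAL_GUID"
    done
}

# Demo against the running system; on a BIOS-booted host the directory
# does not exist and nothing is printed.
if [ -d /sys/firmware/efi/efivars ]; then
    if secure_boot_enforced; then
        echo "Secure Boot is enabled. Using kexec file based syscall."
    else
        echo "Secure Boot not enforced. Using kexec_load."
    fi
fi
```

The fixture writer exists so the decision logic can be exercised without firmware; on a real machine call `kexec_mode_args` with no argument and splice its output into the kexec command line the way the load_kdump hunk does with `KEXEC_ARGS`.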